Bug #27847

closed

foreman-proxy-certs-generate uses a value for --foreman-proxy-cname to add a DNS record even if it is invalid

Added by Ewoud Kohl van Wijngaarden about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Category: Foreman modules
Target version:

Description

foreman-proxy-certs-generate uses the value for --foreman-proxy-cname to add a DNS record in the SAN field regardless of that setting making sense or not. E.g. DNS:[] and DNS: <= empty string.

This is what foreman-proxy-certs-generate is generating for qpid-router-server.crt: (used by capsules' qdrouterd on port 5647 to listen to clients' goferds)

~~~
X509v3 Subject Alternative Name:
    DNS:mycapsule.example.com, DNS:[]
~~~

The DNS:[] comes from the default value for --foreman-proxy-cname:
~~~
[root@sat65a ~]# foreman-proxy-certs-generate --help

(...snip...)

= Module foreman_proxy_certs:
    --certs-tar              Path to tar file with certs to generate (current: UNDEF)
    --foreman-proxy-cname    additional names of the foreman proxy (current: ["[]"]) <========= here
    --foreman-proxy-fqdn     FQDN of the foreman proxy (current: "sat65a.usersys.redhat.com")
~~~

Turns out, if you use `--foreman-proxy-cname ""` with `foreman-proxy-certs-generate` it will still generate certs with DNS:<fqdn>, DNS: <==== second DNS entry empty.

The problem is that puppet-strings parses the default as the string "[]" rather than an empty array [].
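
To find certificates affected by this, the SAN value that `openssl x509 -noout -text` prints can be checked for DNS entries that are not hostnames. The Ruby below is an added example, not part of the report or of foreman-installer; the function names and the hostname rules applied (RFC 1123 labels, one optional leading wildcard label) are assumptions made here, and the sample lines are constructed from the values quoted above.

```ruby
# Added example: audit the DNS entries of a Subject Alternative Name line.
# Sample inputs are constructed from the values quoted in the report.

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z/i

# Returns nil when the name is an acceptable dNSName, otherwise the reason.
def dns_name_problem(name)
  return 'empty name' if name.empty?
  return 'longer than 253 characters' if name.length > 253

  labels = name.split('.', -1)
  # A single leading "*" label is the only wildcard form accepted here.
  labels = labels.drop(1) if labels.first == '*' && labels.length > 1
  bad = labels.find { |label| label !~ LABEL }
  bad ? "invalid label #{bad.inspect}" : nil
end

# Takes the comma-separated SAN value as printed under
# "X509v3 Subject Alternative Name:" and returns { name => reason } for
# every DNS entry that fails validation. Non-DNS entries are ignored.
def invalid_san_dns_entries(san_line)
  san_line.split(',').each_with_object({}) do |entry, problems|
    type, value = entry.strip.split(':', 2)
    next unless type == 'DNS'

    name = value.to_s.strip
    reason = dns_name_problem(name)
    problems[name] = reason if reason
  end
end

if __FILE__ == $PROGRAM_NAME
  [
    'DNS:mycapsule.example.com, DNS:[]',               # default cname parsed as "[]"
    'DNS:mycapsule.example.com, DNS:',                 # --foreman-proxy-cname ""
    'DNS:mycapsule.example.com, DNS:alias.example.com' # well-formed alias
  ].each do |line|
    puts "#{line.inspect} => #{invalid_san_dns_entries(line)}"
  end
end
```

The same `dns_name_problem` check could be applied to the `--foreman-proxy-cname` values before a certificate is requested, so that `"[]"` and `""` are rejected instead of being written into the SAN.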
